Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Size: px
Start display at page:

Download "Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning"

Transcription

1 Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by Mouha et al., currently being considered for standardization by ISO/IEC and ITU-T. Chaskey uses an ARX structure very similar to SipHash. We present the first cryptanalysis of Chaskey in the single user setting, with a differential-linear attack against 6 and 7 rounds, hinting that the full version of Chaskey with 8 rounds has a rather small security margin. In response to these attacks, a 12-round version has been proposed by the designers. To improve the complexity of the differential-linear cryptanalysis, we refine a partitioning technique recently proposed by Biham and Carmeli to improve the linear cryptanalysis of addition operations. We also propose an analogue improvement of differential cryptanalysis of addition operations. Roughly speaking, these techniques reduce the data complexity of linear and differential attacks, at the cost of more processing time per data. It can be seen as the analogue for ARX ciphers of partial key guess and partial decryption for SBox-based ciphers. When applied to the differential-linear attack against Chaskey, this partitioning technique greatly reduces the data complexity, and this also results in a reduced time complexity. While a basic differential-linear attack on 7 round takes 2 78 data and time (respectively 2 35 for 6 rounds), the improved attack requires only 2 48 data and 2 67 time (respectively 2 25 data and 2 29 time for 6 rounds). We also show an application of the partitioning technique to FEAL-8X, and we hope that this technique will lead to a better understanding of the security of ARX designs. Keywords: Differential cryptanalysis, linear cryptanalysis, ARX, addition, partitioning, Chaskey, FEAL 1 Introduction Linear cryptanalysis and differential cryptanalysis are the two major cryptanalysis techniques in symmetric cryptography. Differential cryptanalysis was introduced by Biham and Shamir in 1990 [6], by studying the propagation of differences in a cipher. Linear cryptanalysis was discovered in 1992 by Matsui [29,28], using a linear approximation of the non-linear round function. In order to apply differential cryptanalysis (respectively, linear cryptanalysis), the cryptanalyst has to build differentials (resp. linear approximations) for each round of a cipher, such the output difference of a round matches the input 1

2 difference of the next round (resp. linear masks). The probability of the full differential or the imbalance of the full linear approximation is computed by multiplying the probabilities (respectively imbalances) of each round. This yields a statistical distinguisher for several rounds: A differential distinguisher is given by a plaintext difference δ P and a ciphertext difference δ C, so that the corresponding probability p is non-negligible: p = Pr [ E(P δ P ) = E(P ) δ C ] 2 n. The attacker collects D = O(1/p) pairs of plaintexts (P i, P i ) with P i = P i δ P, and checks whether a pair of corresponding ciphertexts satisfies C i = C i δ C. This happens with high probability for the cipher, but with low probability for a random permutation. A linear distinguisher is given by a plaintext mask χ P and a ciphertext mask χ C, so that the corresponding imbalance 1 ε is non-negligible: ε = 2 Pr [ P [χp ] = C[χ C ] ] 1 2 n/2. The attacker collects D = O(1/ε 2 ) known plaintexts P i and the corresponding ciphertexts C i, and computes the observed imbalance ˆε: ˆε = 2 # {i : P i [χ P ] = C i [χ C ]} /D 1. The observed imbalance is close to ε for the attacked cipher, and smaller than 1/ D (with high probability) for a random function. Last round attacks. The distinguishers are usually extended to a key-recovery attack on a few more rounds using partial decryption. The main idea is to guess the subkeys of the last rounds, and to compute an intermediate state value from the ciphertext and the subkeys. This allows to apply the distinguisher on the intermediate value: if the subkey guess was correct the distinguisher should succeed, but it is expected to fail for wrong key guesses. In a Feistel cipher, the subkey for one round is usually much shorter than the master key, so that this attack recovers a partial key without considering the remaining bits. This allows a divide and conquer strategy were the remaining key bits are recovered by exhaustive search. For an SBox-based cipher, this technique can be applied if the difference δ C or the linear mask χ C only affect a small number of SBoxes, because guessing the key bits affecting those SBoxes is sufficient to invert the last round. ARX ciphers. In this paper we study the application of differential and linear cryptanalysis to ARX ciphers. ARX ciphers are a popular category of ciphers built using only additions (x y), bit rotations (x n), and bitwise xors (x y). These simple operations are very efficient in software and in hardware, but they 1 The imbalance is also called correlation. 2

3 interact in complex ways that make analysis difficult and is expected to provide security. ARX constructions have been used for block ciphers (e.g. TEA, XTEA, FEAL, Speck), stream ciphers (e.g. Salsa20, ChaCha), hash functions (e.g. Skein, BLAKE), and for MAC algorithms (e.g. SipHash, Chaskey). The only non-linear operation in ARX ciphers is the modular addition. Its linear and differential properties are well understood [41,37,27,36,43,33,15], and differential and linear cryptanalysis have been use to analyze many ARX designs (see for instance the following papers: [4,45,44,24,25,18,8,29]). However, there is no simple way to extend differential or linear distinguishers to last-round attack for ARX ciphers. The problem is that they typically have 32-bit or 64-bit words, but differential and linear characteristics have a few active bits in each word. 2 Therefore a large portion of the key has to be guessed in order to perform partial decryption, and this doesn t give efficient attacks. Besides, differential and linear cryptanalysis usually reach a limited number of rounds in ARX designs because the trails diverge quickly and we don t have good techniques to keep a low number of active bits. This should be contrasted with SBox-based designs where it is sometimes possible to build iterative trails, or trails with only a few active SBoxes per round. For instance, this is case for differential characteristics in DES [7] and linear trails in PRESENT [14]. Because of this, cryptanalysis methods that allow to divide a cipher E into two sub-ciphers E = E E are particularly interesting for the analysis of ARX designs. In particular this is the case with boomerang attacks [42] and differential-linear cryptanalysis [23,5]. A boomerang attack uses differentials with probabilities p and p in E and E, to build a distinguisher with complexity O(1/p 2 p2 ). A differential-linear attack uses a differential with probability p for E and a linear approximation with imbalance ε for E to build a distinguisher with complexity about O(1/p 2 ε 4 ) (using a heuristic analysis). Table 1. Key-recovery attacks on Chaskey Rounds Data Time Gain bit Differential-Linear bits Differential-Linear with partitioning bit Differential-Linear bits Differential-Linear with partitioning Our results. In this paper, we consider improved techniques to attack ARX ciphers, with application to Chaskey. Since Chaskey has a strong diffusion, we start with differential-linear cryptanalysis, and we study in detail how to build a 2 A notable counterexample is FEAL, which uses only 8-bit additions. 3

4 good differential-linear distinguisher, and how to improve the attack with partial key guesses. Our main technique follows a recent paper by Biham and Carmeli [3], by partitioning the available data according to some plaintext and ciphertext bits. In each subset, some data bits have a fixed value and we can combine this information with key bit guesses to deduce bits after the key addition. These known bits result in improved probabilities for differential and linear cryptanalysis. While Biham and Carmeli considered partitioning with a single control bit (i.e. two partitions), and only for linear cryptanalysis, we extend this analysis to multiple control bits, and also apply it to differential cryptanalysis. When applied to differential and linear cryptanalysis, this results in a significant reduction of the data complexity. Alternatively, we can extend the attack to a larger number of rounds with the same data complexity. Those results are very similar to the effect of partial key guess and partial decryption in a last-round attack: we turn a distinguisher into a key recovery attack, and we can add some rounds to the distinguisher. While this can increase the time complexity in some cases, we show that the reduced data complexity usually leads to a reduced time complexity. In particular, we adapt a convolution technique used for linear cryptanalysis with partial key guesses [16] in the context of partitioning. These techniques result in significant improvements over the basic differentiallinear technique: for 7 rounds of Chaskey (respectively 6 rounds), the differentiallinear distinguisher requires 2 78 data and time (respectively 2 35 ), but this can be reduced to 2 48 data and 2 67 time (respectively 2 25 data and 2 29 time) (see Table 1). The full version of Chaskey has 8 rounds, and is claimed to be secure against attacks with 2 48 data and 2 80 time. The paper is organized as follows: we first explain the partitioning technique for linear cryptanalysis in Section 2 and for differential cryptanalysis in Section 3. We discuss the time complexity of the attacks in Section 4. Then we demonstrate the application of this technique to the differential-linear cryptanalysis of Chaskey in Section 5. Finally, we show how to apply the partitioning technique to reduce the data complexity of linear cryptanalysis against FEAL-8X in Appendix A. 2 Linear Analysis of Addition We first discuss linear cryptanalysis applied to addition operations, and the improvement using partitioning. We describe the linear approximations using linear masks; for instance an approximation for E is written as Pr [ E(x)[χ ] = x[χ] ] = 1/2 ± ε/2 where χ and χ are the input and output linear masks (x[χ] denotes x[χ 1 ] x[χ 2 ] x[χ l ], where χ = (χ 1,... χ l ) and x[χ i ] is bit χ i of x), and ε 0 is the imbalance. We also denote the imbalance of a random variable x as I(x) = 2 Pr[x = 0] 1, and ε(x) = I(x). We will sometimes identify a mask with the integer with the same binary representation, and use an hexadecimal notation. 4

5 We first study linear properties of the addition operation, and use an ARX cipher E as example. We denote the word size as w. We assume that the cipher starts with an xor key addition, and a modular addition of two state variables. 3 We denote the remaining operations as E, and we assume that we know a linear approximation (α, β, γ) E (α, β, γ ) with imbalance ε for E. We further assume that the masks are sparse, and don t have adjacent active bits. Following previous works, the easier way to extend the linear approximation is to use the following masks for the addition: (α α 1, α) α. (1) As shown in Figure 1, this gives the following linear approximation for E: (α α 1, β α, γ) E (α, β, γ ). (2) In order to explain our technique, we initially assume that α has a single active bit, i.e. α = 2 i. We explain how to deal with several active bits in Section 2.3. If i = 0, the approximation of the linear addition has imbalance 1, but for other values of i, it is only 1/2 [43]. In the following we study the case i > 0, where the linear approximation (2) for E has imbalance ε/2. z 0 [γ] y 0 [β α] x 0 [α α 1] k z z 1 [γ] y 1 [β α] x 1 [α α 1] k y k x z 2 [γ] y 2 [β] x 2 [α] E z 3 [γ ] y 3 [β ] x 3 [α ] Fig. 1. Linear attack against the first addition 3 This setting is quite general, because any operation before a key addition can be removed, as well as any linear operation after the key addition. Ciphers where the key addition is made with a modular addition do not fit this model, but the technique can easily be adapted. 5

6 2.1 Improved analysis with partitioning We now explain the improved analysis of Biham and Carmeli [3]. A simple way to understand their idea is to look at the carry bits in the addition. More precisely, we study an addition operation s = a b, and we are interested in the value s[α]. We assume that α = 2 i, i > 0, and that we have some amount of input/output pairs. We denote individual bits of a as a 0, a 1,... a n 1, where a 0 is the LSB (respectively, b i for b and s i for s). In addition, we consider the carry bits c i, defined as c 0 = 0, c i+1 = MAJ(a i, b i, c i ) (where MAJ(a, b, c) = (a b) (b c) (c a)). Therefore, we have s i = a i b i c i. Note that the classical approximation s i = a i a i 1 b i holds with probability 3/4 because c i = a i 1 with probability 3/4. In order to improve this approximation, Biham and Carmeli partition the data according to the value of bits a i 1 and b i 1. This gives four subsets: 00 If (a i 1, b i 1 ) = (0, 0), then c i = 0 and s i = a i b i. 01 If (a i 1, b i 1 ) = (0, 1), then ε(c i ) = 0 and ε(s i a i a i 1 ) = If (a i 1, b i 1 ) = (1, 0), then ε(c i ) = 0 and ε(s i a i a i 1 ) = If (a i 1, b i 1 ) = (1, 1), then c i = 1 and s i = a i b i 1. If bits of a and b are known, filtering the data in subsets 00 and 11 gives a trail for the addition with imbalance 1 over one half of the data, rather than imbalance 1/2 over the full data-set. This can be further simplified to the following: s i = a i b i a i 1 if a i 1 = b i 1 (3) In order to apply this analysis to the setting of Figure 1, we guess the key bits ki 1 x and ky i 1, so that we can compute the values of x1 i 1 and y1 i 1 from x0 and y 0. More precisely, an attack on E can be performed with a single (logical) key bit guess, using Eq. (3): x 2 i = x 1 i y 1 i x 1 i 1 if x 1 i 1 = y 1 i 1 x 2 i = x 0 i y 0 i x 0 i 1 k x i k y i kx i 1 if x 0 i 1 y 0 i 1 = k x i 1 k y i 1 If we guess the key bit ki 1 x ky i 1, we can filter the data satisfying x0 i 1 y0 i 1 = ki 1 x ky i 1, and we have ε(x2 i x0 i y0 i x0 i 1 ) = 1. Therefore the linear approximation (2) has imbalance ε. We need 1/ε 2 data after the filtering for the attack to succeed, i.e. 2/ε 2 in total. The time complexity is also 2/ε 2 because we run the analysis with 1/ε 2 data for each key guess. This is an improvement over a simple linear attack using (2) with imbalance ε/2, with 4/ε 2 data. Complexity. In general this partitioning technique multiply the data and time complexity by the following ratio: R D lin = µ 1 / ε 2 1/ε 2 = ε 2 /µ ε 2 R T lin = 2κ / ε 2 1/ε 2 = 2κ ε 2 / ε 2 (4) where µ is the fraction of data used in the attack, κ is the number of guessed key bits, ε is the initial imbalance, and ε is the improved imbalance for the selected subset. For Biham and Carmeli s attack, we have µ = 1/2, κ = 1 and ε = 2ε, hence R D lin = 1/2 and RT lin = 1/2. 6

7 2.2 Generalized partitioning ??? a i 0??? a i1??? a i 0 0?? a i 0 1?? a i1 0? +? b i 0?? +? b i 1?? +? b i 1 0? +? b i 1 1? +? b i 0 1?? s i???? s i???? s i???? s i???? s i??? Fig. 2. Some cases of partitioning for linear cryptanalysis of an addition We now refine the technique of Biham and Carmeli using several control bits. In particular, we analyze cases 01 and 10 with extra control bits a i 2 and b i 2 (some of the cases of shown in Figure 2): If (a i 1, b i 1, a i 2, b i 2 ) = (0, 1, 0, 0), then c i 1 = 0, c i = 0 and s i = a i b i If (a i 1, b i 1, a i 2, b i 2 ) = (0, 1, 0, 1), then ε(c i 1 ) = 0, ε(c i ) = 0, and ε(s i a i a i 1 ) = If (a i 1, b i 1, a i 2, b i 2 ) = (0, 1, 1, 0), then ε(c i 1 ) = 0, ε(c i ) = 0, and ε(s i a i a i 1 ) = If (a i 1, b i 1, a i 2, b i 2 ) = (0, 1, 1, 1), then c i 1 = 1, c i = 1 and s i = a i b i If (a i 1, b i 1, a i 2, b i 2 ) = (1, 0, 0, 0), then c i 1 = 0, c i = 0 and s i = a i b i If (a i 1, b i 1, a i 2, b i 2 ) = (1, 0, 0, 1), then ε(c i 1 ) = 0, ε(c i ) = 0, and ε(s i a i a i 1 ) = If (a i 1, b i 1, a i 2, b i 2 ) = (1, 0, 1, 0), then ε(c i 1 ) = 0, ε(c i ) = 0, and ε(s i a i a i 1 ) = If (a i 1, b i 1, a i 2, b i 2 ) = (1, 0, 1, 1), then c i 1 = 1, c i = 1 and s i = a i b i 1. This yields an improved partitioning because we now have a trail for the addition with imbalance 1 in 12 out of 16 subsets: 00.00, 00.01, 00.10, 00.11, 01.00, 01.11, 10.00, 10.11, 11.00, 11.01, 11.10, We can also simplify this case analysis: { ai b s i = i a i 1 a i b i a i 2 if a i 1 = b i 1 if a i 1 b i 1 and a i 2 = b i 2 (5) 7

8 This gives an improved analysis of E by guessing more key bits. More precisely we need ki 1 x ky i 1 and kx i 2 ky i 2, as shown below: { x 2 x 1 i = i yi 1 x1 i 1 x 1 i y1 i x1 i 2 x 0 x 2 i y0 i x0 i 1 kx i ky i kx i 1 i = x 0 i y0 i x0 i 2 kx i ky i kx i 2 ε(x 2 i x 0 i yi 0 x 0 i 1) = 1 ε(x 2 i x 0 i yi 0 x 0 i 2) = 1 if x 1 i 1 = y1 i 1 if x 1 i 1 y1 i 1 and x1 i 2 = y1 i 2 if x 0 i 1 y0 i 1 = kx i 1 ky i 1 if x 0 i 1 y0 i 1 kx i 1 ky i 1 and x 0 i 2 y0 i 2 = kx i 2 ky i 2 if x 0 i 1 y 0 i 1 = k x i 1 k y i 1 if x 0 i 1 y0 i 1 kx i 1 ky i 1 and x 0 i 2 y0 i 2 = kx i 2 ky i 2 Since this analysis yields different input masks for different subsets of the data, we use an analysis following multiple linear cryptanalysis [9]. We first divide the data into four subsets, depending on the value of x 0 i 1 y0 i 1 and x0 i 2 y0 i 2, and we compute the measured (signed) imbalance Î[s] of each subset. Then, for each guess of the key bits ki 1 x ky i 1, and kx i 2 ky i 2, we deduce the expected imbalance I k [s] of each subset, and we compute the distance to the observed imbalance as s (Î[s] I k[s]) 2. According to the analysis of Biryukov, De Cannière and Quisquater, the correct key is ranked first (with minimal distance) with high probability when using O(1/c 2 ) samples, where c 2 = i I2 i = i ε2 i is the capacity of the system of linear approximations. Since we use three approximations with imbalance ε, the capacity of the full system is 3ε 2, and we need 1/3 1/ε 2 data in each subset after partitioning, i.e. 4/3 1/ε 2 in total. Again, the complexity ratio of this analysis can be computed as Rlin D = ε2 /µ ε 2 Rlin T = 2κ ε 2 / ε 2 With µ = 3/4 and ε = 2ε, we find: R D lin = 1/3 R T lin = 1. The same technique can be used to refine the partitioning further, and give a complexity ratio of R D lin = 1/4 2κ /(2 κ 1) when guessing κ bits. Time complexity. In general, the time complexity of this improved partitioning technique is the same as the time complexity as the basic attack (R T lin = 1), because we have to repeat the analysis 4 times (for each key of the key bits) with one fourth of the amount of data. We describe some techniques to reduce the time complexity in Section Combining partitions Finally, we can combine several partitions to analyze an addition with several active bits. If we use k 1 partitions for the first bit, and k 2 for the second bit, this yields a combined partition with k 1 k 2 cases. If the bits are not close to each other, the gains of each bit are multiplied. This can lead to significant improvements even though R lin is small for a single active bit. 8

9 For more complex scenarios, we select the filtering bits assuming that the active bits don t interact, and we evaluate experimentally the probability in each subset. We can further study the matrix of probabilities to detect (logical) bits with no or little effect on the total capacity in order to improve the complexity of the attack. This will be used for our applications in Section 5 and Appendix A. 3 Differential Analysis of Addition k z δz 0 = γ δz 1 = γ k y δy 0 = β δy 1 = β k x δx 0 = α β δx 1 = α β δz 2 = γ δy 2 = β δx 2 = α δz 3 = γ δy 3 = β δx 3 = α Fig. 3. Differential attack against the first addition We now study differential properties of the addition. We perform our analysis in the same way as the analysis of Section 2, following Figure 3. We consider the first addition operation separately, and we assume that we know a differential (α, β, γ) (α, β, γ ) with probability p for the remaining of the cipher. Following previous works, a simple way to extend the differential is to linearize the first addition, yielding the following differences for the addition: α β, β α. Similarly to our analysis of linear cryptanalysis, we consider a single addition s = a b, and we first assume that a single bit is active through the addition. However, we have to consider several cases, depending on how many input/output bits are active. The cases are mostly symmetric, but there are important differences in the partitioning. 9

10 3.1 Analysis of (α = 0, β = 2 i ) With i < w 1, the probability for the addition is Pr[(2 i, 2 i ) 0] = 1/2. Improved analysis with structures. We first discuss a technique using multiple differentials and structures. More precisely, we use the following differentials for the addition: 4 D 1 : (2 i, 2 i ) 0 D 2 : (2 i 2 i+1, 2 i ) 0 [ Pr (2 i, 2 i ) [ Pr (2 i 2 i+1, 2 i ) 0 ] 0 = 1/2 ] = 1/4 We can improve the probability of D 2 using a partitioning according to (a i, a i+1 ): 00 If (a i, a i+1 ) = (0, 0), then a = a 2 i 2 i+1 and s s. 01 If (a i, a i+1 ) = (0, 1), then a = a 2 i and Pr[s = s ] = 1/2. 10 If (a i, a i+1 ) = (1, 0), then a = a 2 i and Pr[s = s ] = 1/2. 11 If (a i, a i+1 ) = (1, 1), then a = a 2 i 2 i+1 and s s. This can be written as: [ ] Pr (2 i, 2 i ) 0 = 1/2 [ ] Pr (2 i 2 i+1, 2 i ) 0 = 1/2 if a i a i+1 The use of structures allows to build pairs of data for both differentials from the same data set. More precisely, we consider the following inputs: p = (x 0, y 0, z 0 ) q = (x 0 2 i, y 0 2 i, z 0 ) r = (x 0 2 i+1, y 0, z 0 ) s = (x 0 2 i+1 2 i, y 0 2 i, z 0 ) We see that (p, q) and (r, s) follow the input difference of D 1, while (p, s) and (r, q) follow the input difference of D 2. Moreover, we have from the partitioning: Pr[E(p) E(q) = (α, β, γ )] = 1/2 p Pr[E(r) E(s) = (α, β, γ )] = 1/2 p Pr[E(p) E(s) = (α, β, γ )] = 1/2 p if x 0 i x 0 i+1 k x i k x i+1 Pr[E(r) E(q) = (α, β, γ )] = 1/2 p if x 0 i x 0 i+1 = k x i k x i+1 For each key guess, we select three candidate pair out of a structure of four plaintexts, and every pair follows a differential for E with probability p/2. Therefore we need 2/p pairs, with a data complexity of 8/3 1/p rather than 4 1/p. In general this partitioning technique multiply the data and time complexity by the following ratio: R D diff = p 1 T/(µT 2 /4) p 1 T/(T/2) = 2p µt p R T diff = 2 κ µr D diff = 2κ+1 p T p, (6) 4 Note that in the application to E, we can modify the difference in x 1 but not in y 1. 10

11 where µ is the fraction of data used in the attack, κ is the number of guessed key bits, T is the number of plaintexts in a structure (we consider T 2 /4 pairs rather than T/2 without structures) p is the initial probability, and p is the improved probability for the selected subset. Here we have µ = 3/4, κ = 1, T = 4, and p = p, hence R D diff = 2/3 R T diff = 1 Moreover, if the differential trail is used in a boomerang attack, or in a differential-linear attack, it impacts the complexity twice, but the involved key bits are the same, and we only need to use the structure once. Therefore, the complexity ratio should be evaluated as: R D diff-2 = p 2 T/(µT 2 /4) p 2 T/(T/2) In this scenario, we have the same ratios: = 2p2 µt p 2 R T diff-2 = 2 κ µr D diff-2 = 2κ+1 p 2 T p 2, (7) R D diff-2 = 2/3 R T diff-2 = 1 Generalized partitioning. We can refine the analysis of the addition by partitioning according to (b i ). This gives the following: Pr [ (2 i, 2 i ) 0 ] = 1 if a i b i Pr [ (2 i 2 i+1, 2 i ) 0 ] = 1 if a i = b i and a i a i+1 This gives an attack with T = 4, µ = 3/8, κ = 2 and p = 2p, which yield the same ratio in a simple differential setting, but a better ratio for a boomerang or differential-linear attack: R D diff = 2/3 R T diff = 1 R D diff-2 = 1/3 R T diff-2 = 1/2 In addition, this analysis allows to recover an extra key bit, which can be useful for further steps of an attack. Larger structure. Alternatively, we can use a larger structure to reduce the complexity: with a structure of size 2 t, we have an attack with a ratio R D diff = 1/2 2 κ /(2 κ 1), by guessing κ 1 key bits. 3.2 Analysis of (α = 2 i, β = 0) With i < w 1, the probability for the addition is Pr[(2 i, 0) 2 i ] = 1/2. 11

12 Improved analysis with structures. As in the previous section, we consider multiple differentials, and use partitioning to improve the probability: D 1 : [ Pr (2 i, 0) 2 i] = 1/2 D 2 : [ Pr (2 i 2 i+1, 0) 2 i] = 1/2 if a i a i+1 We also use structures in order to build pairs of data for both differentials from the same data set. More precisely, we consider the following inputs: p = (x 0, y 0, z 0 ) q = (x 0 2 i, y 0, z 0 ) r = (x 0 2 i+1, y 0, z 0 ) s = (x 0 2 i+1 2 i, y 0, z 0 ) We see that (p, q) and (r, s) follow the input difference of D 1, while (p, s) and (r, q) follow the input difference of D 2. Moreover, we have from the partitioning: Pr[E(p) E(q) = (α, β, γ )] = 1/2 p Pr[E(r) E(s) = (α, β, γ )] = 1/2 p Pr[E(p) E(s) = (α, β, γ )] = 1/2 p if x 0 i x 0 i+1 k x i k x i+1 Pr[E(r) E(q) = (α, β, γ )] = 1/2 p if x 0 i x 0 i+1 = k x i k x i+1 In this case, we also have µ = 3/4, T = 4, and p = p, hence R D diff = 2/3 R T diff = 1 R D diff-2 = 2/3 R T diff-2 = 1 Generalized partitioning. Again, we can refine the analysis of the addition by partitioning according to (s i ). This gives the following: Pr [ (2 i, 0) 2 i] = 1 if a i = s i Pr [ (2 i 2 i+1, 0) 2 i] = 1 if a i s i and a i a i+1 Since we can not readily filter according to bits of s, we use the results of Section 2: This gives: a i b i a i 1 = s i Pr [ (2 i, 0) 2 i] = 1 if a i 1 = b i 1 if b i = a i 1 and a i 1 = b i 1 Pr [ (2 i 2 i+1, 0) 2 i] = 1 if b i a i 1 and a i 1 = b i 1 and a i a i+1 Unfortunately, we can only use a small fraction of the pairs µ = 3/16. With T = 4 and p = 2p, this yields, an increase of the data complexity for a simple differential attack: R D diff = 4/3 R T diff = 1/2 R D diff-2 = 2/3 R T diff-2 = 1/4 12

13 3.3 Analysis of (α = 2 i, β = 2 i ) With i < w 1, the probability for the addition is Pr[(0, 2 i ) 2 i ] = 1/2. The results in this section will be the same as in the previous section, but we have to use a different structure. Indeed when this analysis is applied to E, we can freely modify the difference in x 0 but not in y 0, because it would affect the differential in E. More precisely, we use the following differentials: [ D 1 : Pr (0, 2 i ) 2 i] = 1/2 [ D 2 : Pr (2 i+1, 2 i ) 2 i] = 1/2 if a i+1 b i and the following structure: This yields: p = (x 0, y 0, z 0 ) q = (x 0, y 0 2 i, z 0 ) r = (x 0 2 i+1, y 0, z 0 ) s = (x 0 2 i+1, y 0 2 i, z 0 ) Pr[E(p) E(q) = (α, β, γ )] = 1/2 p Pr[E(r) E(s) = (α, β, γ )] = 1/2 p Pr[E(p) E(s) = (α, β, γ )] = 1/2 p if x 1 i x 0 i+1 k y i kx i+1 Pr[E(r) E(q) = (α, β, γ )] = 1/2 p if x 1 i x 0 i+1 = k y i kx i+1 4 Improving the Time Complexity The analysis of the previous sections assume that we repeat the distinguisher for each key guess, so that the data complexity is reduced in a very generic way. When this is applied to differential or linear cryptanalysis, it usually result in an increased time complexity (R T > 1). However, when the distinguisher is a simple linear of differential distinguisher, we can perform the analysis in a more efficient way, using the same techniques that are used in attacks with partial key guess against SBox-based ciphers. For linear cryptanalysis, we use a variant of Matsui s Algorithm 2 [28], and the improvement using convolution algorithm [16]; for differential cryptanalysis we filter out pairs that can not be a right pair for any key. In the best cases, the time complexity of the attacks can be reduced to essentially the data complexity. 4.1 Linear analysis We follow the analysis of Matsui s Algorithm 2, with a distillation phase using counters to keep track of the important features of the data, and an analysis phase for every key that requires only the counters rather than the full dataset. 13

14 More precisely, let us explain this idea within the setting of Section 2.2 and Figure 1. For each key guess, the attacker computes the observed imbalance over a subset S k corresponding to the data with x ( 0 i 1 y0 i 1 = kx i 1 ky i 1, or x 0 i 1 yi 1 0 kx i 1 ky i 1 and x0 i 2 y0 i 2 = kx i 2 ) ky i 2 : where (using α = 2 i ) Î = I Sk (P [χ P ] C[χ C ]) = 1/ S k S k ( 1) P [χ P ] C[χ C ] P [χ P ] C[χ C ] = x 2 i y 2 [β] z 2 [γ] x 3 [α ] y 3 [β ] z 3 [γ ] = x 0 i y0 i x0 i 1 y0 [β] z 0 [γ] x 3 [α ] y 3 [β ] z 3 [γ ] if x 0 i 1 y0 i 1 = kx i 1 ky i 1 x 0 i y0 i x0 i 2 y0 [β] z 0 [γ] x 3 [α ] y 3 [β ] z 3 [γ ] if x 0 i 1 y0 i 1 kx i 1 ky i 1 and x 0 i 2 y0 i 2 = kx i 2 ky i 2 Therefore, the imbalance can be efficiently reconstructed from a series of 2 4 counters keeping track of the amount of data satisfying every possible value of the following bits: x 0 i y 0 i x 0 i 1 y 0 [β] z 0 [γ] x 3 [α ] y 3 [β ] z 3 [γ ], x 0 i 1 x 0 i 2, x 0 i 1 y 0 i 1, x 0 i 2 y 0 i 2 This results in an attack where the time complexity is equal to the data complexity, plus a small cost to compute the imbalance. The analysis phase require only about 2 6 operations in this case (adding 2 4 counters for 2 2 key guesses). When the amount of data required is larger than 2 6, the analysis step is negligible. When several partitions are combined (with several active bits in the first additions), the number of counters increases to 2 b, where b is the number of control bits. To reduce the complexity of the analysis phase, we can use a convolution algorithm (following [16]), so that the cost of the distillation is only O(b 2 b ) rather than O(2 κ 2 b ). This will be explained in more details with the application to Chaskey in Section 5. In general, there is a trade-off between the number of partitioning bits, and the complexity. A more precise partitioning allows to reduce the data complexity, but this implies a larger set of counters, hence a larger memory complexity. When the number of partitioning bits reaches the data complexity, the analysis phase becomes the dominant phase, and the time complexity is larger than the data complexity. 4.2 Differential analysis For a differential attack with partitioning, we can also reduce the time complexity, by filtering pairs before the analysis phase. In the following, we assume that 14

15 we use a simple differential distinguisher with output difference δ, following Section 3 (where δ = (α, β, γ )) We first define a linear function L with rank n 1 (where n is the block size), so that L(δ ) = 0. In particular, any pair x, x = x δ satisfies L(x) = L(x ). This allows to detect collisions by looking at all values in a structure, rather than all pairs in a structure. We just compute L(E(x)) for all x s in a structure, and we look for collisions. 5 Application to Chaskey Chaskey is a recent MAC proposal designed jointly by researchers from COSIC and Hitachi [35]. The mode of operation of Chaskey is based on CBC-MAC with an Even-Mansour cipher; but it can also be described as a permutation-based design as seen in Figure 4. Chaskey is designed to be extremely fast on 32-bit micro-controllers, and the internal permutation follows an ARX construction with 4 32-bit words based on SipHash; it is depicted in Figure 5. Since the security of Chaskey is based on an Even-Mansour cipher, the security bound has a birthday term O(T D ). More precisely, the designers claim that it should be secure up to 2 48 queries, and 2 80 computations. m 0 m 1 m 2 K K K π π π τ Fig. 4. Chaskey mode of operation (full block message) v v 2 v v Fig. 5. One round of the Chaskey permutation. The full permutation has 8 rounds. So far, the only external cryptanalysis results on Chaskey are generic attacks in the multi-user setting [30]. The only analysis of the permutation is in the submission document; the best result is a 4 round bias, that can probably be 15

16 extended into a 5 round attack following the method of attacks against the Salsa family[1]. It is important to try more advanced techniques in order to understand the security of Chaskey, in particular because it is being considered for standardization. 5.1 Differential-linear cryptanalysis Table 2. Probabilities of the best differential characteristics of Chaskey reported by the designers [35] Rounds: Probability: The best differential characteristics found by the designers of Chaskey quickly become unusable when the number of rounds increase (See Table 2). The designers also report that those characteristics have an hourglass structure : there is a position in the middle where a single bit is active, and this small difference is expanded by the avalanche effect when propagating in both direction. This is typical of ARX designs: short characteristics have a high probability, but after a few rounds the differences cannot be controlled and the probability decrease very fast. The same observation typically holds also for linear trails. Because of these properties, attacks that can divide the cipher E in two parts E = E E and build characteristics or trail for both half independently such as the boomerang attack or differential-linear cryptanalysis are particularly interesting. In particular, many attacks on ARX designs are based on the boomerang attack [46,31,11,26,22,39] or differential-linear cryptanalysis [20]. Since Chaskey never uses the inverse permutation, we cannot apply a boomerang attack, and we focus on differential-linear cryptanalysis. x δ i x E E χ i y δ o y χ i E E χ o z z χ o Fig. 6. Differential-linear cryptanalysis 16

17 E Differential-linear cryptanalysis uses a differential δ i δo with probability E p for E, and a linear approximation χ i χo with imbalance ε for E (see Figure 6). The attacker uses pairs of plaintexts (P i, P i ) with P i = P i δ i, and computes the observed imbalance ˆε = 2 # {i : C i [χ o ] = C i [χ o]} /D 1. Following the heuristic analysis of [5], the expected imbalance is about pε 2, which gives an attack complexity of O(2/p 2 ε 4 ): A pair of plaintext satisfies E (P ) E (P ) = δ o with probability p. In this case, we have E (P )[χ i ] E (P )[χ i ] = δ o [χ i ]. Without loss of generality, we assume that δ o [χ i ] = 0. Otherwise, we expect that E (P )[χ i ] E (P )[χ i ] is not biased. This gives the following: Pr [ E (P )[χ i ] E (P )[χ i ] = 0 ] = p + (1 p) 1/2 = 1/2 + p/2 (8) ε(e (P )[χ i ] E (P )[χ i ]) = p (9) We also have ε(e (P )[χ i ] C[χ o ]) = ε(e (P )[χ i ] C [χ o ]) = ε from the linear approximations. Combining with (9), we get ε(c[χ o ] C [χ o ]) = pε 2. A more rigorous analysis has been recently provided by Blondeau, Leander and Nyberg [13], but since we use experimental values to evaluate the complexity of our attacks, this heuristic explanation will be sufficient. 5.2 Using partitioning A differential-linear distinguisher can easily be improved using the results of Section 2 and 3. We can improve the differential and linear part separately, and combine the improvements on the differential-linear attack. More precisely, we have to consider structures of plaintexts, and to guess some key bits in the differential and linear parts. We partition all the potential pairs in the structures according to the input difference, and to the filtering bits in the differential and linear part; then we evaluate the observed imbalance Î[s] in every subset s. Finally, for each key guess k, we compute the expected imbalance I k [s] for each subset s, and then we evaluate the distance between the observed and expected imbalances as L(k) = s (Î[s] I k[s]) 2 (following the analysis of multiple linear cryptanalysis [10]). While we follow the analysis of multiple linear cryptanalysis to evaluate the complexity of our attack, we use each linear approximation on a different subset of the data, partitioned according to the filtering bits. In particular, we don t have to worry about the independence of the linear approximations. If we use structures of size T, and select a fraction µ diff of the input pairs with an improved differential probability p, and a fraction µ lin of the output pairs with an improved linear imbalance ε, the data complexity of the attack is O(µ lin µ 2 diff T/2 2/ p2 ε 4 ). This corresponds to a complexity ratio of Rdiff-2 D RD lin2. More precisely, using differential filtering bits p diff and linear filtering bits c lin, the subsets are defined by the input difference, the plaintext bits P [p diff ] 17

18 and the cipher text bits C[c lin ] and C [c lin ], with C = E(P ) and C = E(P ). In practice, for every P, P in a structure, we update the value of Î[P P, P [p lin ], C[c diff ], C [c diff ]]. We also take advantage of the Even-Mansour construction of Chaskey, without keys inside the permutation. Indeed, the filtering bits used to define the subsets s correspond to the key bits used in the attack. Therefore, we only need to compute the expected imbalance for the zero key, and we can deduce the expected imbalance for an arbitrary key as I kdiff,k lin [, p, c, c ] = I 0 [, p k lin, c k diff, c k diff ]. Time complexity. This description lead to an attack with low time complexity using an FFT algorithm, as described previously for linear cryptanalysis [16] and multiple linear cryptanalysis [19]. Indeed, the distance between the observed and expected imbalance can be written as: L(k) = s = s (Î[s] I k[s]) 2 (Î[s] I 0[s φ(k)]) 2, where φ(k diff, k lin ) = (0, k lin, k diff, k diff ) = s Î[s] 2 + s I 0 [s φ(k)] 2 2 s Î[s]I 0 [s φ(k)], where only the last term depend on the key. Moreover, this term can be seem as the φ(k)-th component of the convolution I 0 Î. Using the convolution theorem, we can compute the convolution efficiently with an FFT algorithm. This gives the following fast analysis: 1. Compute the expected imbalance I 0 [s] of the differential-linear distinguisher for the zero key, for every subset s. 2. Collect D plaintext-ciphertext pairs, and compute the observed imbalance Î[s] of each subset. 3. Compute the convolution I Î, and find k that maximizes coefficient φ(k). 5.3 Differential-linear Cryptanalysis of Chaskey In order to find good differential-linear distinguishers for Chaskey, we use a heuristic approach. We know that most good differential characteristics and good linear trails have an hourglass structure, with a single active bit in the middle. If a good differential-linear characteristics is given with this hourglass structure, we can divide E in three parts E = E E E, so that the single active bit in the differential characteristic falls between E and E, and the single active bit in the linear trail falls between E and E. We use this decomposition to look for good differential-linear characteristics: we first divide E in three parts, and E we look for a differential characteristic δ i δo in E (with probability p), a E differential-linear characteristic δ o χi in E (with imbalance b), and a linear E characteristic χ i χo in E (with imbalance ε), where δ o and χ i have a single 18

19 active bit. This gives a differential-linear distinguisher with imbalance close to bpε 2 : We consider a pair of plaintext (P, P ) with P = P δ i, and we denote X = E (P ), Y = E (X), C = E (Y ). We have X X = δ o with probability p. In this case, ε(y [χ i ] Y [χ i ]) = b Otherwise, we expect that Y [χ i ] Y [χ i ] is not biased. This gives the following: Pr [ Y [χ i ] Y [χ i ] = 0 ] = (1 p) 1/2 + p (1/2 + b/2) = 1/2 + bp/2 (10) ε(y [χ i ] Y [χ i ]) = bp (11) We also have ε(y [χ i ] C[χ o ]) = ε(y [χ i ] C [χ o ]) = ε from the linear approximations. Combining with (11), we get ε(c[χ o ] C [χ o ]) = bpε 2. In the E section, we can see the characteristic as a small differential-linear characteristic with a single active input bit and a single active output bit, or as a truncated differential where the input difference has a single active bit and the output value is truncated to a single bit. In other words, we use pairs of values with a single bit difference, and we look for a biased output bit difference. We ran an exhaustive search over all possible decompositions E = E E E (varying the number of rounds), and all possible positions for the active bits i at the input of E and the biased bit 5 j at the output of E. For each candidate, we evaluate experimentally the imbalance ε(e (x)[j] E (x 2 i )[j]), and we study the best differential and linear trails to build the full differential-linear distinguisher. This method is similar to the analysis of the Salsa family by Aumasson et al. [1]: they decompose the cipher in two parts E = E E, in order to combine a biased bit in E with an approximation of E. This approach allows to identify good differential-linear distinguisher more easily than by building full differential and linear trails. In particular, we avoid most of the heuristic problems in the analysis of differential-linear distinguishers (such as the presence of multiple good trails in the middle) by evaluating experimentally ε(e (x)[j] E (x 2 i )[j]) without looking for explicit trails in the middle. In particular, the transition between E and E is a transition between two differential characteristics, while the transition between E and E is a transition between two linear characteristics. 5.4 Attack against 6-round Chaskey The best distinguisher we identified for an attack against 6-round Chaskey uses 1 round in E, 4 rounds in E, and 1 round in E. The optimal differences and masks are: Differential for E with probability p 2 5 : v 0 [26], v 1 [26], v 2 [6, 23, 30], v 3 [23, 30] E v 2 [22] 5 We also consider pairs of adjacent bits, following the analysis of [15]. 19

20 v 3 23,30 8 6, ,23,30 v 2 6,31 22 v v v 3 v 2 [16] [16] 8 [24] [24] [16] [24] [15,16] [15,16,24] [24] 13 [5] [5] [5] [0,8,15] v 0 v [16,23,24] [16,24] 7 [16,24,31] [23,31] 16 [5] [23,31] Fig round attack: differential characteristic, and linear trail. Biased bit for E with imbalance ε = : v 2 [22] E v 2 [16] Linear approximations for E with imbalance ε = : v 2 [16] E v 0 [5], v 1 [23, 31], v 2 [0, 8, 15], v 3 [5] The differential and linear trails are shown in Figure 7. The expected imbalance is p ε ε 2 = This gives a differential-linear distinguisher with expected complexity in the order of D = 2/p 2 ε2 ε We can estimate the data complexity more accurately using [12, Eq. (11)]: we need about pairs of samples in order to reach a false positive rate of 2 4. Experimentally, with 2 34 pairs of samples (i.e data), the measured imbalance is larger than with probability 0.5; with random data, it is larger than with probability 0.1. This matches the predictions of [12], and confirms the validity of our differential-linear analysis. This simple differential-linear attack is more efficient than generic attacks against the Even-Mansour construction of Chaskey. It follows the usage limit of Chaskey, and reaches more rounds than the analysis of the designers. Moreover, it we can be improved significantly using the results of Sections 2 and 3. Analysis of linear approximations with partitioning. To make the description easier, we remove the linear operations at the end, so that the linear 20

21 trail becomes: v 2 [16] E v 1 [16, 24], v 2 [16, 23, 24], v 3 [24] We select control bits to improve the probability of the addition between v 1 and v 2 on active bits 16 and 24. Following the analysis of Section 2.2, we need v 1 [14] v 2 [14] and v 1 [15] v 2 [15] as control bits for active bit 16. To identify more complex control bits, we consider v 1 [14, 15, 22, 23], v 2 [14, 15, 22, 23] as potential control bits, as well as v 3 [23] because it can affect the addition on the previous half-round. Then, we evaluate the bias experimentally (using the round function as a black box) in order to remove redundant bits. This leads to the following 8 control bits: v 1 [14] v 2 [14] v 1 [14] v 1 [15] v 1 [22] v 1 [23] v 1 [15] v 2 [15] v 1 [15] v 3 [23] v 2 [22] v 2 [23] This defines 2 8 partitions of the ciphertexts, after guessing 8 key bits. We evaluated the bias in each partition, and we found that the combined capacity is c 2 = This means that we have the following complexity ratio R D lin = / (12) Analysis of differential with partitioning. There are four active bits in the first additions: Bit 23 in v 2 v 3 : (2 23, 2 23 ) 0 Bit 30 in v 2 v 3 : (2 30, 2 30 ) 2 31 Bit 6 in v 2 v 3 : (2 6, 0) 2 6 Bit 26 in v 0 v 1 : (2 26, 2 26 ) 0 Following the analysis of Section 3, we can use additional input differences for each of them. However, we reach a better trade-off by selected only three of them. More precisely, we consider 2 3 input differences, defined by δ i and the following extra active bits: v 2 [24] v 2 [31] v 0 [27] As explained in Section 2, we build structures of 2 4 plaintexts, where each structure provides 2 3 pairs for every input difference, i.e. 2 6 pairs in total. Following the analysis of Section 3, we use the following control bits to improve the probability of the differential: v 2 [23] v 2 [24] v 2 [30] v 3 [30] v 0 [26] v 0 [27] v 2 [24] v 3 [23] v 0 [27] v 1 [26] This divides each set of pairs into 2 5 subsets, after guessing 5 key bits. In total we have 2 8 subsets to analyze, according to the control bits and the multiple 21

22 differentials. We found that, for 18 of those subsets, there is a probability 2 2 to reach δ o (the probability is 0 for the remaining subsets). This leads to a complexity ratio: R D diff = R D diff-2 = / = 2/ / = 1/ This corresponds to the analysis of Section 3: we have a ratio of 2/3 for bits v 2 [23] and v 0 [27] (Section 3.1), and a ratio of 1/2 for v 2 [31] in the simple linear case. In the differential-linear case, we have respectively ratios of 1/3 and 1/4. Finally, the improved attack requires a data complexity in the order of: R D lin2 R D diff-2 D We can estimate the data complexity more accurately using the analysis of Biryukov, De Cannière and Quisquater [9]. First, we give an alternate description of the attack similar the multiple linear attack framework. Starting from D chosen plaintexts, we build 2 2 D pairs using structures, and we keep N = D samples per approximation after partitioning the differential and linear parts. The imbalance of the distinguisher is = Following [9, Corollary 1], the gain of the attack with D = 2 24 is estimated as 6.6 bits, i.e. the average key rank should be about 42 (for the 13-bit subkey). Using the FFT method of Section 5.2, we perform the attack with 2 24 counters Î[s]. Each structure of 24 plaintexts provides 2 6 pairs, so that we need 2 2 D operations to update the counters. Finally, the FFT computation require operations. We have implemented this analysis, and it runs in about 10s on a single core of a desktop PC. 6 Experimentally, we have a gain of about 6 bits (average key rank of 64 with 128 experiments); this validates our theoretical analysis. We also notice some key bits don t affect the distinguisher and cannot be recovered. On the other hand, the gain of the attack can be improved using more data, and further trade-offs are possible using larger or smaller partitions. 5.5 Attack against 7-round Chaskey The best distinguisher we identified for an attack against 7-round Chaskey uses 1.5 round in E, 4 rounds in E, and 1.5 round in E. The optimal differences and masks are: Differential for E with probability p = 2 17 : v 0 [8, 18, 21, 30], v 1 [8, 13, 21, 26, 30], v 2 [3, 21, 26], v 3 [21, 26, 27] E v 0 [31] 6 Haswell microarchitecture running at 3.4 GHz 22

23 Biased bit for E with imbalance ε = : v 0 [31] E v 2 [20] Linear approximations for E with imbalance ε = : v 2 [20] E v 0 [0, 15, 16, 25, 29], v 1 [7, 11, 19, 26], v 2 [2, 10, 19, 20, 23, 28], v 3 [0, 25, 29] This gives a differential-linear distinguisher with expected complexity in the order of D = 2/p 2 ε2 ε This attack is more expensive than generic attacks against on the Even-Mansour cipher, but we now improve it using the results of Sections 2 and 3. Analysis of linear approximations with partitioning. We use an automatic search to identify good control bits, starting from the bits suggested by the result of Section 2. We identified the following control bits: v 1 [3] v 1 [11] v 3 [10] v 1 [3] v 1 [11] v 3 [11] v 0 [15] v 3 [14] v 0 [15] v 3 [15] v 1 [11] v 1 [18] v 3 [17] v 1 [11] v 1 [18] v 3 [18] v 1 [3] v 2 [2] v 1 [3] v 2 [3] v 1 [11] v 2 [9] v 1 [11] v 2 [10] v 1 [11] v 2 [11] v 1 [18] v 2 [17] v 1 [18] v 2 [18] v 1 [2] v 1 [3] v 1 [9] v 1 [11] v 1 [10] v 1 [11] v 1 [17] v 1 [18] v 0 [14] v 0 [15] v 0 [15] v 1 [3] v 1 [11] v 1 [18] Note that the control bits identified in Section 2 appear as linear combinations of those control bits. This defines 2 19 partitions of the ciphertexts, after guessing 19 key bits. We evaluated the bias in each partition, and we found that the combined capacity is c 2 = This means that we gain the following factor: R D lin = / (13) This example clearly shows the power of the partitioning technique: using a few key guesses, we essentially avoid the cost of the last layer of additions. Analysis of differential with partitioning. We consider 2 9 input differences, defined by δ i and the following extra active bits: v 0 [9] v 0 [22] v 0 [31] v 0 [19] v 0 [14] v 0 [27] v 2 [22] v 2 [27] v 2 [4] As explained in Section 2, we build structures of 2 10 plaintexts, where each structure provides 2 9 pairs for every input difference, i.e pairs in total. Again, we use an automatic search to identify good control bits, starting from the bits suggested in Section 3. We use the following control bits to improve the 23

Similar documents

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL

More information

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks

More information

Differential Attack on Five Rounds of the SC2000 Block Cipher

Differential Attack on Five Rounds of the SC2000 Block Cipher Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com

More information

Linear Cryptanalysis of Reduced-Round Speck

Linear Cryptanalysis of Reduced-Round Speck Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be

More information

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,

More information

Differential-Linear Cryptanalysis of Serpent

Differential-Linear Cryptanalysis of Serpent Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,

More information

Block Cipher Cryptanalysis: An Overview

Block Cipher Cryptanalysis: An Overview 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution

More information

Construction of Lightweight S-Boxes using Feistel and MISTY structures

Construction of Lightweight S-Boxes using Feistel and MISTY structures Construction of Lightweight S-Boxes using Feistel and MISTY structures Anne Canteaut Sébastien Duval Gaëtan Leurent Inria, France SAC 2015 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes

More information

Key Recovery with Probabilistic Neutral Bits

Key Recovery with Probabilistic Neutral Bits ESC 7.1. 11. 1. 2007 Key Recovery with Probabilistic Neutral Bits Simon Fischer 1, Shahram Khazaei 2 and Willi Meier 1 1 FHNW, Windisch, Switzerland 2 EPFL, Lausanne, Switzerland Outline Motivation Probabilistic

More information

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)

More information

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Cryptanalysis of SP Networks with Partial Non-Linear Layers Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École

More information

Complementing Feistel Ciphers

Complementing Feistel Ciphers Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,

More information

Linear Cryptanalysis

Linear Cryptanalysis Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations

More information

Algebraic Techniques in Differential Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos

More information

A Brief Comparison of Simon and Simeck

A Brief Comparison of Simon and Simeck A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based

More information

A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent

A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg Helsinki University of Technology, Department of Information

More information

Data Complexity and Success Probability for Various Cryptanalyses

Data Complexity and Success Probability for Various Cryptanalyses Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity

More information

Linear Cryptanalysis Using Multiple Approximations

Linear Cryptanalysis Using Multiple Approximations Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in

More information

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard

More information

DD2448 Foundations of Cryptography Lecture 3

DD2448 Foundations of Cryptography Lecture 3 DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the

More information

Improbable Differential Cryptanalysis and Undisturbed Bits

Improbable Differential Cryptanalysis and Undisturbed Bits Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short

More information

Cube Attacks on Stream Ciphers Based on Division Property

Cube Attacks on Stream Ciphers Based on Division Property Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Chapter 1 - Linear cryptanalysis.

Chapter 1 - Linear cryptanalysis. Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =

More information

Cryptanalysis of the SIMON Family of Block Ciphers

Cryptanalysis of the SIMON Family of Block Ciphers Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building

More information

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography

More information

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Anne Canteaut 1, María Naya-Plasencia 1, and Bastien Vayssière 2 1 Inria Paris-Rocquencourt, project-team SECRET B.P. 105, 78153 Le Chesnay cedex,

More information

Analysis of Differential Attacks in ARX Constructions

Analysis of Differential Attacks in ARX Constructions .. Analysis of Differential Attacks in ARX Constructions Gaëtan Leurent UCL Crypto Group University of Luxembourg Asiacrypt 2012 G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions

More information

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]

More information

New attacks on Keccak-224 and Keccak-256

New attacks on Keccak-224 and Keccak-256 New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University

More information

Lecture 4: DES and block ciphers

Lecture 4: DES and block ciphers Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the

More information

Analysis of cryptographic hash functions

Analysis of cryptographic hash functions Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share

More information

and Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27

and Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27 Multiple differential cryptanalysis using LLR and Céline Blondeau joint work with Benoît Gérard and Kaisa Nyberg October 8, 2012 1/27 Outline Introduction Block Ciphers Differential Cryptanalysis Last

More information

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information

More information

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

On Multiple Linear Approximations

On Multiple Linear Approximations On Multiple Linear Approximations Alex Biryukov, Christophe De Cannière, and Michael Quisquater Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium

More information

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk

More information

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer

More information

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3 Attacks on DES 1 Attacks on DES Differential cryptanalysis is an attack on DES that compares the differences (that is, XOR values between ciphertexts of certain chosen plaintexts to discover information

More information

Structural Cryptanalysis of SASAS

Structural Cryptanalysis of SASAS tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which

More information

The Hash Function JH 1

The Hash Function JH 1 The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred

More information

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types

More information

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.

More information

Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities

Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities Céline Blondeau and Kaisa Nyberg Department of Information and Computer Science,

More information

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Cryptanalysis of SP Networks with Partial Non-Linear Layers Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3,5,, Virginie Lallemand 4,, Nathan Keller 1,5,, and Boaz Tsaban 1 1 Department of Mathematics,

More information

A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT

A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT Wentao Zhang 1, Zhenzhen Bao 1, Vincent Rijmen 2, Meicheng Liu 1 1.State Key Laboratory of Information

More information

Some attacks against block ciphers

Some attacks against block ciphers Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3

More information

Division Property: a New Attack Against Block Ciphers

Division Property: a New Attack Against Block Ciphers Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption

More information

MasterMath Cryptology /2 - Cryptanalysis

MasterMath Cryptology /2 - Cryptanalysis MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions

More information

Data complexity and success probability of statisticals cryptanalysis

Data complexity and success probability of statisticals cryptanalysis Data complexity and success probability of statisticals cryptanalysis Céline Blondeau SECRET-Project-Team, INRIA, France Joint work with Benoît Gérard and Jean-Pierre Tillich aaa C.Blondeau Data complexity

More information

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,

More information

Block Ciphers and Feistel cipher

Block Ciphers and Feistel cipher introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure

More information

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Cryptography Lecture 4 Block ciphers, DES, breaking DES Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages

More information

Linear Cryptanalysis of Reduced-Round PRESENT

Linear Cryptanalysis of Reduced-Round PRESENT Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline

More information

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Improved Multiple Impossible Differential Cryptanalysis of Midori128 Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,

More information

observations on the simon block cipher family

observations on the simon block cipher family observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security,

More information

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,

More information

Bit-Pattern Based Integral Attack

Bit-Pattern Based Integral Attack Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,

More information

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Debra L. Cook 1, Moti Yung 2, Angelos Keromytis 3 1 Columbia University, New York, NY USA dcook@cs.columbia.edu 2 Google, Inc. and Columbia

More information

Improving the Time Complexity of Matsui s Linear Cryptanalysis

Improving the Time Complexity of Matsui s Linear Cryptanalysis Improving the Time Complexity of Matsui s Linear Cryptanalysis B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group, Université Catholique de Louvain Abstract. This paper reports on an improvement

More information

Solution of Exercise Sheet 7

Solution of Exercise Sheet 7 saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,

More information

S-box (Substitution box) is a basic component of symmetric

S-box (Substitution box) is a basic component of symmetric JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates

More information

Algebraic properties of SHA-3 and notable cryptanalysis results

Algebraic properties of SHA-3 and notable cryptanalysis results Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =

More information

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3

More information

Rotational Cryptanalysis in the Presence of Constants

Rotational Cryptanalysis in the Presence of Constants Rotational Cryptanalysis in the Presence of Constants Tomer Ashur 1 and Yunwen Liu 1,2 1 Dept. Electrical Engineering (ESAT), KU Leuven and iminds, Leuven, Belgium 2 College of Science, National University

More information

Truncated differential cryptanalysis of five rounds of Salsa20

Truncated differential cryptanalysis of five rounds of Salsa20 Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters

More information

The Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA

The Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA : Cryptanalysis of Reduced Round CLEFIA École Polytechnique Fédérale de Lausanne, Switzerland (This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey INDOCRYPT

More information

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

A Unified Method for Finding Impossible Differentials of Block Cipher Structures A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai

More information

Chapter 2 - Differential cryptanalysis.

Chapter 2 - Differential cryptanalysis. Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered

More information

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation

More information

Linear Cryptanalysis of DES with Asymmetries

Linear Cryptanalysis of DES with Asymmetries Linear Cryptanalysis of DES with Asymmetries Andrey Bogdanov and Philip S. Vejre Technical University of Denmark {anbog,psve}@dtu.dk Abstract. Linear cryptanalysis of DES, proposed by Matsui in 1993, has

More information

New Results in the Linear Cryptanalysis of DES

New Results in the Linear Cryptanalysis of DES New Results in the Linear Cryptanalysis of DES Igor Semaev Department of Informatics University of Bergen, Norway e-mail: igor@ii.uib.no phone: (+47)55584279 fax: (+47)55584199 May 23, 2014 Abstract Two

More information

Towards Provable Security of Substitution-Permutation Encryption Networks

Towards Provable Security of Substitution-Permutation Encryption Networks Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,

More information

Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version )

Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version ) Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version ) Anne Canteaut, Sébastien Duval, and Gaëtan Leurent Inria, project-team SECRET, France {Anne.Canteaut, Sebastien.Duval,

More information

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits

More information

Analysis of SHA-1 in Encryption Mode

Analysis of SHA-1 in Encryption Mode Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars

More information

Impossible Differential Cryptanalysis of Mini-AES

Impossible Differential Cryptanalysis of Mini-AES Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my

More information

Security Evaluation of Stream Cipher Enocoro-128v2

Security Evaluation of Stream Cipher Enocoro-128v2 Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of

More information

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction

More information

An Improved Affine Equivalence Algorithm for Random Permutations

An Improved Affine Equivalence Algorithm for Random Permutations An Improved Affine Equivalence Algorithm for Random Permutations Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. In this paper we study the affine equivalence problem,

More information

Cryptanalysis of Achterbahn

Cryptanalysis of Achterbahn Cryptanalysis of Achterbahn Thomas Johansson 1, Willi Meier 2, and Frédéric Muller 3 1 Department of Information Technology, Lund University P.O. Box 118, 221 00 Lund, Sweden thomas@it.lth.se 2 FH Aargau,

More information

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers

More information

Computing the biases of parity-check relations

Computing the biases of parity-check relations Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET

More information

BLOCK CIPHERS KEY-RECOVERY SECURITY

BLOCK CIPHERS KEY-RECOVERY SECURITY BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote

More information

Optimized Interpolation Attacks on LowMC

Optimized Interpolation Attacks on LowMC Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Breaking Symmetric Cryptosystems Using Quantum Algorithms Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking

More information

Differential Fault Analysis of Trivium

Differential Fault Analysis of Trivium Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in

More information

Impossible Differential Attacks on 13-Round CLEFIA-128

Impossible Differential Attacks on 13-Round CLEFIA-128 Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential

More information

Stream Ciphers: Cryptanalytic Techniques

Stream Ciphers: Cryptanalytic Techniques Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic

More information

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra 1, Goutam Paul 1, Willi Meier 1 Indian Statistical Institute, Kolkata, India {subho,goutam.paul}@isical.ac.in FHNW, Windisch, Switzerland

More information

Key Difference Invariant Bias in Block Ciphers

Key Difference Invariant Bias in Block Ciphers Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback